The Portuguese Data Protection Authority (CNPD) recently approved Resolution 2019/494 (Resolution) determining the non-application of some provisions of Law 58/2019, of August 8th (GDPR Implementation Law), which implements the General Data Protection Regulation (GDPR) in the Portuguese legal system.

In the past, CNPD voiced harsh criticisms against the Portuguese legislator upon the examination of Bill 120/XIII on
the implementation of the GDPR (Opinion 20/2018 of May 2nd 2018).

In its Resolution, CNPD sustains that, in addition to the courts, Public Administration bodies are under the obligation to apply EU law in its entirety, and, if necessary, should flout national provisions hindering the full effectiveness of EU law provisions, in line with the case law of the European Court of Justice (see Fratelli Costanzo ruling).

Thus, with a view to ensuring the principle of the primacy of EU law, as well as the consistent application of the GDPR by the supervisory authorities of all Member States, CNPD resolves that it will not apply certain provisions of the GDPR Implementation Law in the personal data processing operations it may assess, insofar as it considers them to contravene GDPR provisions.

The main provisions are highlighted below:

  • SCOPE AND APPLICATION: application of the GDPR Implementation Law to personal data processing outside the domestic territory, when processed in the context of the activity of an establishment located on domestic territory (Article 2.2(a)).
  • DUTY OF SECRECY: impossibility to exercise information rights and accessing personal data where the law imposes on the controller or the processor a duty of secrecy that is enforceable against the data subject (Article 20.1).
  • DATA PROCESSING BY PUBLIC ENTITIES: possibility of processing personal data by public authorities for purposes other than those that have determined the collection (Article 23).

LABOUR RELATIONS: the invalidity of the employee's consent as a lawful condition for the processing of his/her data, if such processing would result in a legal or economic advantage for the employee (Article 28(3)(a)).


  • Provision, as a very serious administrative offence, for non-compliance with the principles of data processing only in the case of intentional misconduct (Article 37.1(a)).
  • Distinction between failure to comply with the duty to inform the data subject, as a very serious or serious administrative offence, depending on the type of information missing (Article 37.1(h) and Article 38.1(b)).
  • Provision, as a very serious administrative offence, for refusal to cooperate with CNPD (Article 37.1(k)).
  • Provision for different penal frameworks depending on the size and nature of the entity (Article 37.2 and Article 38.2).
  • Establishment of other criteria, in addition to those provided for in the GDPR, which must be observed by CNPD for fine calculation purposes (Article 39.1 and 39.3)

EXPIRY OF CONSENT: provision for the expiry of consent as a motive for termination of the contract to which the data subject is a party, providing that the processing of data is lawful until it occurs (Article 61.2).

PROVISIONS ON DATA PROTECTION: termination of legal provisions providing for personal data processing authorisations or notifications to CNPD, as from the date of entry into force of the GDPR (not its application date on May 25th, 2018) (Article 62.2).

CNPD further clarifies that the non-application, for future specific cases, of the aforementioned legal provisions shall result in the direct application of GDPR provisions which, in this Resolution, CNPD considers to be restricted, contravened or compromised, in their useful effect, by the GDPR Implementation Law.